ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzalv_5.4.0.1/rzalvcnfgconfigwiz3.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Create and join a new remote domain" />
<meta name="abstract" content="This information explains how to create a new Enterprise Identity Mapping (EIM) domain for your enterprise and to configure a remote directory server to be the EIM domain controller for the new domain." />
<meta name="description" content="This information explains how to create a new Enterprise Identity Mapping (EIM) domain for your enterprise and to configure a remote directory server to be the EIM domain controller for the new domain." />
<meta name="DC.Relation" scheme="URI" content="rzalvcnfg.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalvcnfgconfigwiz3" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create and join a new remote domain</title>
</head>
<body id="rzalvcnfgconfigwiz3"><a name="rzalvcnfgconfigwiz3"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create and join a new remote domain</h1>
<div><p>This information explains how to create a new Enterprise Identity
Mapping (EIM) domain for your enterprise and to configure a remote directory
server to be the EIM domain controller for the new domain.</p>
<div class="section"><div class="p">When you use the EIM Configuration wizard to create and join a
new domain, you can choose to configure a directory server on a remote system
to act as the EIM domain controller as part of creating your EIM configuration.
You must specify the appropriate information for connecting to the remote
directory server to allow you to configure EIM. If Kerberos is not currently
configured on the iSeries™ server, the wizard prompts you to start the
Network Authentication Service Configuration wizard.<div class="note"><span class="notetitle">Note:</span> The directory server
on the remote system must provide EIM support. EIM requires that the domain
controller be hosted by a directory server that supports Lightweight Directory
Access Protocol (LDAP) Version 3. Additionally, the directory server product
must have the EIM schema configured. For example, the IBM<sup>®</sup> Directory Server V5.1 provides this
support. For more detailed information about EIM domain controller requirements,
see <a href="rzalv_plan_controller.htm#rzalv_plan_controller">Plan
an EIM domain controller</a>.</div>
</div>
<div class="p">When you complete the EIM Configuration
wizard, you can accomplish these tasks: <ul><li>Create a new EIM domain.</li>
<li>Configure a remote directory server to act as the EIM domain controller.</li>
<li>Configure network authentication service for the system.</li>
<li>Create EIM registry definitions for the local i5/OS™ registry and the Kerberos registry.</li>
<li>Configure the system to participate in the new EIM domain.</li>
</ul>
</div>
<p>To configure your system to create and join a new EIM domain,
you must have all the following special authorities: </p>
<ul><li>Security administrator (*SECADM).</li>
<li>All object (*ALLOBJ). </li>
<li>System configuration (*IOSYSCFG). </li>
</ul>
<p>To use the EIM Configuration wizard to create and join a domain on
a remote system, complete these steps:</p>
</div>
<ol><li class="stepexpand"><span>Verify that the directory server on the remote system is active. </span></li>
<li class="stepexpand"><span>In iSeries Navigator,
select the system for which you want to configure EIM and expand <span class="uicontrol">Network
&gt; Enterprise Identity Mapping</span>.</span></li>
<li class="stepexpand"><span>Right-click <span class="uicontrol">Configuration</span> and select <span class="uicontrol">Configure...</span> to
start the EIM Configuration wizard. </span> <div class="note"><span class="notetitle">Note:</span> This option is labeled <span class="uicontrol">Reconfigure...</span> if
EIM has been previously configured on the system.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Welcome</span> page of the wizard, select <span class="uicontrol">Create
and join a new domain</span>, and click <span class="uicontrol">Next</span>.</span></li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM Domain Location</span> page,
select <span class="uicontrol">On the local Directory server</span> and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> This option configures the local directory server to act as the
EIM domain controller. Because this directory server stores all EIM data for
the domain, it must be active and remain active to support EIM mapping lookups
and other operations.</div>
<p>If network authentication service is not currently
configured on the iSeries server, or additional network authentication
configuration information is needed to configure a single signon environment,
the <span class="uicontrol">Network Authentication Services Configuration</span> page
displays. This page allows you start the Network Authentication Service Configuration
wizard so that you can <a href="../rzakh/rzakhconfig.htm">configure network authentication service</a>. Or, you can
configure Network Authentication Service at a later time by using the configuration
wizard for this service through iSeries Navigator. When you complete
network authentication service configuration, the EIM Configuration wizard
continues.</p>
</li>
<li class="stepexpand"><span>To configure network authentication service, complete these steps:</span><ol type="a"><li class="substepexpand"><span>On the <span class="uicontrol">Configure Network Authentication Service</span> page,
select <span class="uicontrol">Yes</span> to start the Network Authentication Service
Configuration wizard. With this wizard, you can configure several i5/OS interfaces
and services to participate in a Kerberos realm as well as configure a single
signon environment that uses both EIM and network authentication service.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Realm Information</span> page,
specify the name of the default realm in the <span class="uicontrol">Default realm</span> field.
If you are using Microsoft<sup>®</sup> Active Directory for Kerberos authentication,
select <span class="uicontrol">Microsoft Active Directory is used for Kerberos authentication</span>,
and click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify KDC Information</span> page,
specify the fully qualified name of the Kerberos server for this realm in
the <span class="uicontrol">KDC</span> field, specify <samp class="codeph">88</samp> in the <span class="uicontrol">Port</span> field,
and click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Specify Password Server Information</span> page,
select either <span class="uicontrol">Yes</span> or <span class="uicontrol">No</span> for
setting up a password server. The password server allows principals to change
passwords on the Kerberos server. If you select <span class="uicontrol">Yes</span>,
enter the password server name in the <span class="uicontrol">Password server</span> field.
In the <span class="uicontrol">Port</span> field, accept the default value of <samp class="codeph">464</samp>,
and click <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Select Keytab Entries</span> page, select <span class="uicontrol">i5/OS
Kerberos Authentication</span>, and click <span class="uicontrol">Next</span>.</span> <div class="note"><span class="notetitle">Note:</span> In addition you can also create keytab entries for the IBM Directory
Server for iSeries (LDAP), iSeries NetServer™,
and iSeries HTTP
server if you want these services to use Kerberos authentication. You may
need to perform additional configuration for these services before they can
use Kerberos authentication.</div>
</li>
<li class="substepexpand"><span>On the <span class="uicontrol">Create i5/OS Keytab Entry</span> page,
enter and confirm a password, and click <span class="uicontrol">Next</span>. This
is the same password you will use when you add the i5/OS principals to the Kerberos server.</span></li>
<li class="substepexpand"><strong>Optional: </strong><span>On the <span class="uicontrol">Create Batch File</span> page,
select <span class="uicontrol">Yes</span>, specify the following information, and
click <span class="uicontrol">Next</span>:</span> <ul><li>In the <span class="uicontrol">Batch file</span> field, update the directory path.
Click <span class="uicontrol">Browse</span> to locate the appropriate directory path,
or edit the path in the <span class="uicontrol">Batch file</span> field.</li>
<li>In the <span class="uicontrol">Include password</span> field, select <span class="uicontrol">Yes</span>.
This ensures that all passwords associated with the i5/OS service principal are included in
the batch file. It is important to note that passwords are displayed in clear
text and can be read by anyone with read access to the batch file. Therefore,
it is essential that you delete the batch file from the Kerberos server and
from the PC immediately after you use it. If you do not include the password,
you will be prompted for the password when you run the batch file.<div class="note"><span class="notetitle">Note:</span> You
can also manually add the service principals that are generated by the wizard
to Microsoft Active
Directory. To learn how to do this, see <a href="../rzakh/rzakhdefineiseries.htm">Add i5/OS principals to the Kerberos server</a>.</div>
</li>
<li>On the <span class="uicontrol">Summary</span> page, review the network authentication
service configuration details, and click <span class="uicontrol">Finish</span> to
return to the EIM Configuration wizard.</li>
</ul>
</li>
</ol>
</li>
<li class="stepexpand"><span>Use the <span class="uicontrol">Specify EIM Domain Controller</span> page
to specify connection information as follows for the remote EIM domain controller
that you want to configure: </span><ol type="a"><li class="substepexpand"><span>In the <span class="uicontrol">Domain controller name</span> field,
specify the name of the remote directory server that you want to configure
as the EIM domain controller for the domain that you are creating. The EIM
domain controller name can be the directory server TCP/IP host and domain
name or the directory server address.</span></li>
<li class="substepexpand"><span>Specify connection information for the connection to the domain
controller as follows: </span> <ul><li>Select the <span class="uicontrol">Use secure connection (SSL or TLS)</span> to
use a secure connection to the EIM domain controller. When this is selected,
the connection uses either Secure Sockets Layer (SSL) or Transport Layer
Security (TLS) to establish a secure connection to protect EIM data transmission
over an untrusted network, such as the Internet. <div class="note"><span class="notetitle">Note:</span> You must verify whether
the EIM domain controller is configured to use a secure connection. Otherwise,
the connection to the domain controller may fail.</div>
</li>
<li>In the <span class="uicontrol">Port</span> field, specify the TCP/IP port on which
the directory server listens. If <span class="uicontrol">Use secure connection</span> is
selected, the default port is <samp class="codeph">636</samp>; otherwise, the default
port is <samp class="codeph">389</samp>.</li>
</ul>
</li>
<li class="substepexpand"><span>Click <span class="uicontrol">Verify Connection</span> to test that
the wizard can use the specified information to successfully establish a connection
to the remote EIM domain controller.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify User For Connection</span> page,
select a <span class="uicontrol">User type</span> for the connection. </span> You
can select one of the following types of users: <span class="uicontrol">Distinguished name
and password</span>, <span class="uicontrol">Kerberos keytab file and principal</span>, <span class="uicontrol">Kerberos
principal and password</span>, or <span class="uicontrol">User profile and password</span>.
The two Kerberos user types are available only if network authentication service
is configured for the local iSeries system. The user type that you select determines
the other information that you must provide to complete the dialog as follows: <div class="note"><span class="notetitle">Note:</span> To
ensure that the wizard has enough authority to create the necessary EIM objects
in the directory, select <span class="uicontrol">Distinguished name and password</span> as
the user type and specify the LDAP administrator DN and password as the user.<p>You
can specify a different user for the connection; however, the user you specify
must have the equivalent of LDAP administrator authority for the remote directory
server.</p>
</div>
<ol type="a"><li class="substepexpand"><span>If you select <span class="uicontrol">Distinguished name and password</span>,
provide the following information:</span> <ul><li>In the <span class="uicontrol">Distinguished name</span> field, specify the LDAP
administrators distinguished name (DN) and password to ensure the wizard
has enough authority to administer the EIM domain and the objects in it.</li>
<li>In the <span class="uicontrol">Password</span> field, specify the password for
the distinguished name.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password
a second time for validation purposes.</li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">Kerberos keytab file and principal</span>,
provide the following information:</span> <ul><li>In the <span class="uicontrol">Keytab file</span> field, specify the fully qualified
path and keytab file name that contains the Kerberos principal for the wizard
to use when connecting to the EIM domain. Or, click <span class="uicontrol">Browse...</span> to
browse through directories in the iSeries integrated file system to select
a keytab file. </li>
<li>In the <span class="uicontrol">Principal</span> field, specify the name of the
Kerberos principal to be used to identify the user.</li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified
Kerberos realm name for which the principal is a member. The name of the principal
and realm uniquely identify the Kerberos users in the keytab file. For example,
the principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp>,
is represented in the keytab file as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">Kerberos principal and
password</span>, provide the following information:</span> <ul><li>In the <span class="uicontrol">Principal</span> field, specify the name of the
Kerberos principal for the wizard to use when connecting to the EIM domain. </li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified Kerberos realm
name for which the principal is a member. The name of the principal and realm
uniquely identify the Kerberos users in the keytab file. For example, the
principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp> is
represented in the keytab file as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
<li>In the <span class="uicontrol">Password</span> field, specify the password for the Kerberos principal.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password a second time
for validation purposes. </li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">User profile and password</span>,
provide the following information: </span> <ul><li>In the <span class="uicontrol">User profile</span> field, specify the user profile
name for the wizard to use when connecting to the EIM domain. </li>
<li>In the <span class="uicontrol">Password</span> field, specify the password for
the user profile.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password
a second time for validation purposes.</li>
</ul>
</li>
<li class="substepexpand"><span>Click <span class="uicontrol">Verify Connection</span> to test that
the wizard can use the specified user information to successfully establish
a connection to the EIM domain controller.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Domain </span> page, provide the
following information: </span><ol type="a"><li><span>In the <span class="uicontrol">Domain</span> field, specify the name
of the EIM domain that you want to create. Accept the default name of <samp class="codeph">EIM</samp>,
or use any string of characters that makes sense to you. However, you cannot
use special characters such as <strong>= + &lt; &gt; , # ; \ </strong> and <strong>*</strong>.</span></li>
<li><span>In the <span class="uicontrol">Description</span> field, enter text
to describe the domain.</span></li>
<li><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify Parent DN for Domain</span> dialog, select <span class="uicontrol">Yes</span> to
specify the parent DN the wizard should use for the location of the EIM domain
that you are creating. </span> This is the DN that represents the entry
immediately above your domain name entry in the directory information tree
hierarchy. Or specify <span class="uicontrol">No</span> to have EIM data stored in
a directory location with a suffix whose name is derived from the EIM domain
name.<div class="note"><span class="notetitle">Note:</span> When you use the wizard to configure a domain on a remote
domain controller you should specify an appropriate parent DN for the domain.
Because all necessary configuration objects for the parent DN must already
exist or the EIM configuration may fail, you should browse for the appropriate
parent DN rather than manually enter the DN information. Click <span class="uicontrol">Help</span> for
further information about using a parent DN.</div>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Registry Information</span> page, specify
whether to add local user registries to the EIM domain as registry definitions.
Select one or both of these user registry types:</span> <div class="note"><span class="notetitle">Note:</span> You do not
have to create the registry definitions at this time. If you choose to create
the registry definitions later, you need to <a href="rzalvadminaddusrreg.htm#rzalvadminaddusrreg">add the system registry definitions</a> and <a href="rzalvmanageconfigprops.htm#manage_config_props">update the EIM configuration properties</a>.</div>
<ol type="a"><li><span>Select <span class="uicontrol">Local i5/OS</span> to add a registry
definition for the local registry. In the field provided, accept the default
value for the registry definition name or specify a different value for the
registry definition name. The EIM registry name is an arbitrary string that
represents the registry type and specific instance of that registry. </span></li>
<li><span>Select <span class="uicontrol">Kerberos</span> to add a registry definition
for a Kerberos registry. In the field provided, accept the default value for
the registry definition name or specify a different value for the registry
definition name. The default registry definition name is the same as the realm
name. By accepting the default name and using the same Kerberos registry name
as the realm name, you can increase performance in retrieving information
from the registry. Select <span class="uicontrol">Kerberos user identities are case sensitive</span>,
if necessary.</span></li>
<li><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>On the <span class="uicontrol">Specify EIM System User</span> page, select
a <span class="uicontrol">User type</span> that you want the system to use when performing
EIM operations on behalf of operating system functions. </span> These
operations include mapping lookup operations and deletion of associations
when deleting a local i5/OS user profile. You can select one of the following
types of users: <span class="uicontrol">Distinguished name and password</span>, <span class="uicontrol">Kerberos
keytab file and principal</span>, or <span class="uicontrol">Kerberos principal and
password</span>. Which user types you can select vary based on the current
system configuration. For example, if Network Authentication Service is not
configured for the system, then Kerberos user types may not be available for
selection. The user type that you select determines the other information
that you must provide to complete the page as follows: <div class="note"><span class="notetitle">Note:</span> You must specify
a user that is currently defined in the directory server which is hosting
the EIM domain controller. The user that you specify must have privileges
to perform mapping lookup and registry administration for the local user registry
at a minimum. If the user that you specify does not have these privileges,
then certain operating system functions related to the use of single signon
and the deletion of user profiles may fail.<p>If you have not configured the
directory server prior to running this wizard, the only user type you can
select is <span class="uicontrol">Distinguished name and password</span> and the only
distinguished name you can specify is the LDAP administrator's DN.</p>
</div>
<ol type="a"><li class="substepexpand"><span>If you select <span class="uicontrol">Distinguished name and password</span>,
provide the following information:</span> <ul><li>In the <span class="uicontrol">Distinguished name</span> field, specify the LDAP
distinguished name that identifies the user for the system to use when performing
EIM operations.</li>
<li>In the <span class="uicontrol">Password</span> field, specify the password for
the distinguished name.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password
a second time for verification purposes.</li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">Kerberos principal and password</span>,
provide the following information: </span> <ul><li>In the <span class="uicontrol">Principal</span> field, specify the Kerberos principal
name for the system to use when performing EIM operations.</li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified
Kerberos realm name for which the principal is a member. The name of the principal
and realm uniquely identify the Kerberos users in the keytab file. For example,
the principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp> is
represented in the keytab file as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
<li>In the <span class="uicontrol">Password</span> field, enter the password for the
user.</li>
<li>In the <span class="uicontrol">Confirm password</span> field, specify the password
a second time for verification purposes. </li>
</ul>
</li>
<li class="substepexpand"><span>If you select <span class="uicontrol">Kerberos keytab file and principal</span>,
provide the following information:</span> <ul><li>In the <span class="uicontrol">Keytab file</span> field, specify the fully qualified
path and keytab file name that contains the Kerberos principal for the system
to use when performing EIM operations. Or, click <span class="uicontrol">Browse...</span> to
browse through directories in the iSeries integrated file system to select
a keytab file.</li>
<li>In the <span class="uicontrol">Principal</span> field, specify the Kerberos principal
name for the system to use when performing EIM operations.</li>
<li>In the <span class="uicontrol">Realm</span> field, specify the fully qualified
Kerberos realm name for which the principal is a member. The name of the principal
and realm uniquely identify the Kerberos users in the keytab file. For example,
the principal <samp class="codeph">jsmith</samp> in the realm <samp class="codeph">ordept.myco.com</samp> is
represented in the keytab file as <samp class="codeph">jsmith@ordept.myco.com</samp>.</li>
</ul>
</li>
<li class="substepexpand"><span>Click <span class="uicontrol">Verify Connection</span> to ensure that
the wizard can use the specified user information to successfully establish
a connection to the EIM domain controller.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Next</span>.</span></li>
</ol>
</li>
<li class="stepexpand"><span>In the <span class="uicontrol">Summary</span> panel, review the configuration
information that you have provided. If all information is correct, click <span class="uicontrol">Finish</span>.</span></li>
</ol>
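<p>As an added illustration that is not part of the original IBM topic, the following Python script re-creates what the wizard's <span class="uicontrol">Verify Connection</span> button does for the <span class="uicontrol">Distinguished name and password</span> user type: it picks the port the wizard defaults to (636 with a secure connection, 389 otherwise), opens a TLS session that validates the domain controller's certificate, and sends an LDAPv3 simple bind, then reads the result code from the BindResponse. The host name, DN and password in it are placeholders, and because it uses only the Python standard library the LDAP messages are encoded and decoded by hand.</p>

```python
import socket
import ssl

LDAP_PORT = 389    # wizard default when 'Use secure connection' is not selected
LDAPS_PORT = 636   # wizard default when 'Use secure connection (SSL or TLS)' is selected


def default_port(secure):
    """Port the wizard proposes for the connection to the EIM domain controller."""
    return LDAPS_PORT if secure else LDAP_PORT


def ber_length(n):
    """BER length octets: short form below 128, long form from 128 upward."""
    if n >= 0x80:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 + len(body)]) + body
    return bytes([n])


def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(value):
    """BER INTEGER for the non-negative values needed here (version, message ID)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_bind_request(message_id, bind_dn, password):
    """LDAPMessage carrying a BindRequest with simple authentication (RFC 4511)."""
    bind = tlv(0x60,                                # [APPLICATION 0] BindRequest
               ber_integer(3)                       # version 3: EIM requires LDAPv3
               + tlv(0x04, bind_dn.encode())        # name: e.g. the LDAP administrator DN
               + tlv(0x80, password.encode()))      # authentication: simple [0]
    return tlv(0x30, ber_integer(message_id) + bind)


def read_tlv(buf, pos):
    """Decode one BER element at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first >= 0x80:                               # long-form length
        count = first - 0x80
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:                                 # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)                  # ENUMERATED resultCode (0 = success)
    _, _matched, pos = read_tlv(op, pos)            # matchedDN
    _, diag, _ = read_tlv(op, pos)                  # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", errors="replace"))


def sample_bind_response(result_code, diagnostic=""):
    """Constructed BindResponse for offline testing, not captured from a real server."""
    result = (tlv(0x0a, bytes([result_code])) + tlv(0x04, b"")
              + tlv(0x04, diagnostic.encode()))
    return tlv(0x30, ber_integer(1) + tlv(0x61, result))


def verify_connection(host, bind_dn, password, secure=True, port=None, timeout=10.0):
    """Re-creation of the wizard's Verify Connection; returns (ok, code, diagnostic)."""
    port = port or default_port(secure)
    sock = socket.create_connection((host, port), timeout=timeout)
    if secure:
        # The default context checks the certificate chain and host name, so a
        # domain controller without a working TLS listener fails before any
        # credentials are sent.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(encode_bind_request(1, bind_dn, password))
        reply = sock.recv(4096)                     # a BindResponse fits in one read
    finally:
        sock.close()
    _, code, diagnostic = parse_bind_response(reply)
    return code == 0, code, diagnostic


if __name__ == "__main__":
    # Placeholder values: replace with your domain controller and administrator DN.
    print(verify_connection("ldap.example.com", "cn=administrator", "PLACEHOLDER"))
```

Running it with <samp class="codeph">secure=True</samp> against a directory server that only listens on the plain port is the quickest way to confirm the caveat in the note on the <span class="uicontrol">Specify EIM Domain Controller</span> page: the TLS handshake, not the bind, is what fails.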
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalvcnfg.htm" title="Use this information to learn how to use the Enterprise Identity Mapping (EIM) Configuration wizard to configure EIM for your iSeries servers.">Configure Enterprise Identity Mapping</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="finalizeyoureimconfigurationforthedomain2"><a name="finalizeyoureimconfigurationforthedomain2"><!-- --></a><h2 class="topictitle2">Finalize your EIM configuration for the domain</h2>
<div><div class="section">When the wizard finishes, it adds the new domain to the <span class="uicontrol">Domain
Management</span> folder and you have created a basic EIM configuration
for this server. However, you must complete these tasks to finalize your EIM
configuration for the domain:</div>
<ol><li class="stepexpand"><span>Use the EIM Configuration wizard on each additional server that
you want to have <a href="rzalvcnfgconfigwizard.htm#rzalvcnfgconfigwizard">join
the new domain</a>.</span></li>
<li class="stepexpand"><span>Add EIM registry definitions to the EIM domain, if necessary, for
other non-iSeries servers and applications that you want to participate in
the EIM domain. These registry definitions refer to the actual user registries
that must participate in the domain.</span> You can either <a href="rzalvadminaddusrreg.htm#rzalvadminaddusrreg">Add
system registry definitions</a> or <a href="rzalvadminaddappreg.htm#rzalvadminaddappreg">Add
application registry definitions</a> depending on your EIM implementation
needs.</li>
<li class="stepexpand"><span>Based on your EIM implementation needs, determine whether to: </span><ol type="a"><li><span><a href="rzalvadminidentcreate.htm#rzalvadminidentcreate">Create
EIM identifiers</a> for each unique user or entity in the domain and <a href="rzalvcrtidentifierassoc.htm#create_id_assoc">create identifier associations</a> for
them.</span></li>
<li><span><a href="rzalvcrtpolassoc.htm#create_pol_assoc">Create policy
associations</a> to map a group of users to a single target user identity.</span></li>
<li><span>Create a combination of these.</span></li>
</ol>
</li>
<li class="stepexpand"><span>Use the EIM <a href="rzalvtestmappings.htm#testmapping">test
a mapping</a> function to test the identity mappings for your EIM configuration. </span></li>
<li class="stepexpand"><span>If the only EIM user you have defined is the DN for the LDAP administrator,
then your EIM user has a high level of authority to all data on the directory
server. </span> Therefore, you might consider creating one or more DNs
as additional users that have more appropriate and limited <a href="../rzalv/rzalveservereimauths.htm">access control</a> for
EIM data. To learn more about creating DNs for the directory server, see <a href="../rzahy/rzahyunderdn.htm">Distinguished
names</a> in the IBM Directory Server for iSeries (LDAP) topic. The number of additional
EIM users that you define depends on your security policy's emphasis on the
separation of security duties and responsibilities. Typically, you might create
at least the two following types of DNs:<ul><li><strong>A user that has EIM administrator access control</strong><p>This EIM administrator
DN provides the appropriate level of authority for an administrator who is
responsible for managing the EIM domain. This EIM administrator DN could
be used to connect to the domain controller when managing all aspects of the
EIM domain by means of iSeries Navigator.</p>
</li>
<li><strong>At least one user that has all of the following access controls</strong>:<ul><li>Identifier administrator</li>
<li>Registry administrator</li>
<li>EIM mapping operations</li>
</ul>
This user provides the appropriate level of access control required for
the system user that performs EIM operations on behalf of the operating system.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> To use this new DN for the system user instead of the LDAP administrator
DN, you must change the EIM configuration properties for the iSeries server.
See <a href="../rzalv/rzalvmanageconfigprops.htm">Manage
EIM configuration properties</a> to learn how to change the system user
DN.</div>
</li>
</ol>
<div class="section"><p>You might need to perform additional tasks if you created a basic
network authentication service configuration, especially if you are implementing
a single signon environment. You can find information about these additional
steps by reviewing the complete configuration steps demonstrated by the scenario, <a href="../rzamz/rzamzenablessoos400.htm">Enable
single signon for i5/OS</a>.</p>
</div>
</div>
</div>
</body>
</html>